NATIONAL ENDOWMENT FOR THE ARTS
OFFICE OF INSPECTOR GENERAL

EVALUATION REPORT

FISCAL YEAR 2008 EVALUATION OF NEA’S COMPLIANCE WITH THE FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002

REPORT NO. R-09-02
OCTOBER 9, 2008

REPORT RELEASE RESTRICTION

This report may not be released to anyone outside of the National Endowment for the Arts (NEA) without the approval of the NEA Office of Inspector General.

Information contained in this report may be confidential. The restrictions of 18 USC 1905 should be considered before this information is released to the public.

Furthermore, information contained in this report should not be used for purposes other than those intended without prior consultation with the NEA Office of Inspector General regarding its applicability.

INTRODUCTION

The Federal Information Security Management Act of 2002 requires an annual evaluation by the Inspector General of its agency’s information security programs and practices. This report presents the results of our evaluation of NEA’s information security program and practices for protecting its information technology (IT) infrastructure.

BACKGROUND

The Federal Information Security Management Act (FISMA) of 2002 was signed into law on November 27, 2002. It replaced the Government Information Security Reform Act (GISRA), which expired in November 2002. The Act requires each federal agency to develop, document, and implement an agency-wide information security program to provide information security over the operations and assets of the agency. This includes:

- Periodic risk assessments;
- Policies and procedures that are based on risk assessments;
- Subordinate plans for providing adequate information security for networks, facilities, information systems, or groups of information systems, as appropriate;
- Security awareness training to inform employees (including contractors) of the security risks associated with their activities and their responsibilities to comply with those agency policies and procedures designed to reduce those risks;
- Periodic testing and evaluation of the effectiveness of information security policies;
- A process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency;
- Procedures for detecting, reporting, and responding to security incidents; and
- Plans and procedures to ensure continuity of operations of the agency’s information systems.

Office of Management and Budget (OMB) Memorandum M-08-21, dated July 14, 2008, entitled “FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management,” updates instructions to Senior Agency Officials for Privacy, Chief Information Officers and Inspectors General for reporting their 2008 information to OMB.

The National Institute of Standards and Technology (NIST), which has the responsibility for developing technical standards and related guidance, has issued numerous publications including An Introduction to Computer Security: The NIST Handbook. This publication explains important concepts, cost considerations, and interrelationships of security controls as well as the benefits of such controls. NIST also has published a Guide for Developing Security Plans for Information Technology Systems. In addition, guidance is found in the Government Accountability Office publication, Federal Information System Controls Audit Manual (FISCAM). NIST has also issued Special Publication 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems; Special Publication 800-53, Recommended Security Controls for Federal Information Systems; and FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems.

NEA’s Office of Information and Technology Management (ITM) maintains and operates two of the Agency’s three core systems on a local area network (LAN). These are the Grants Management System (GMS), which contains information on grant applications, and the Automated Panel Bank System (APBS), which contains information on panelists who review grant applications. NEA has contracted with the Department of Transportation Enterprise Service Center to host NEA’s Financial Management System (FMS) through its Delphi Financial Management System. In addition, NEA operates support systems including electronic mail, and internet and intranet services.

The Chief Information Officer (CIO) is responsible for developing policies and procedures to ensure that security is provided over NEA’s networks.

OBJECTIVE AND SCOPE

The objective of the evaluation was to determine the adequacy of NEA’s information technology (IT) security program and practices. In the past, this included a review of NEA’s IT security policies and procedures, interviews with responsible agency officials managing the IT systems, and tests on the effectiveness of security controls. This year the FISMA guidance included additional questions on privacy.

PRIOR EVALUATION

The NEA Office of Inspector General issued a report entitled “Fiscal Year 2007 Evaluation of NEA’s Compliance with the Federal Information Security Act of 2002” (Report No. R-08-01) dated October 18, 2007. The report had two recommendations, both of which were resolved; however, only Recommendation 2 was implemented. During our review, we found that ITM is not reporting weaknesses identified in its self-assessment (POA&Ms) in its quarterly FISMA reports as required by OMB.

EVALUATION RESULTS

Our current evaluation determined that there are several issues that need to be addressed by NEA’s Office of Information and Technology Management. These issues are related to the risk assessment, updating the Continuity of Operations (COOP) and Security Plan, implementing procedures related to change management, IT Security Awareness training, IT policies and procedures, and reporting of POA&Ms on the quarterly FISMA reports. Details are presented in the following narrative.

Risk Assessment

SeNet International Corporation (SeNet) performed the latest risk assessment, the results of which were issued on August 28, 2008. The review concluded the following:

    The implementation and management of the security architecture supporting the National Endowment for the Arts enterprise network appears to require strengthening in order to more effectively restrict unauthorized internal access to information resources.

The review cited the following weaknesses:

- Web applications were discovered that are vulnerable to SQL Injection;
- Web applications were discovered that are vulnerable to Cross-Site Scripting.

The report also stated that the NEA Continuity of Operations Plan (COOP) was weak. The COOP was reviewed against the guidance provided in the Federal Emergency Management Agency (FEMA) Federal Preparedness Circular (FPC-65), NIST 800-34, “Contingency Planning Guide for Information Technology Systems,” and NIST 800-53, “Recommended Security Controls for Federal Information Systems.” The report noted the following deficiencies:

- The plan does not contain contact information for key personnel;
- The plan does not identify any Vital Records and Databases;
- The current section on Mission Essential Functions does not clearly identify the critical NEA functions which must be continued under all circumstances as required by FPC-65;
- The plan mentions “Procuring needed services and/or equipment” but does not provide a list of vendors and their contact information;
- The plan does not list contact information for customers or other agencies (NEA Panel and National Council of Arts) that NEA may be required to contact and inform regarding the emergency and COOP activation;
- The plan does not define in detail where the work will be performed in the 30 days during the COOP period using an alternate site;
- The COOP does not clarify the steps that will be taken to ensure a strategy for critical personnel to continue operating at an alternate facility or remotely; and
- The plan does not reference the existence of any contingency/disaster recovery/business continuity plans which may exist.

ITM included revision of the COOP in the 2007-2008 POA&M Summary. We recommend that ITM revise the COOP and implement corrective actions to address the deficiencies noted in the SeNet report.

E-Authentication Risk Assessment

OMB Memorandum 04-04, issued December 16, 2003, directed “agencies to conduct ‘e-authentication risk assessments’ on electronic transactions to ensure that there is a consistent approach across government.” The guidance applies to “remote authentication of human users of Federal agency IT systems for the purposes of conducting government business electronically (or e-government).”

The 2008 FISMA guidance issued by OMB asks Inspectors General to determine whether the agency has identified all e-authentication applications and validated that the applications have operationally achieved the required assurance level in accordance with NIST Special Publication 800-63, “Electronic Authentication Guidelines.” NEA ITM determined that an e-authentication risk assessment of NEA systems was not required since its systems are not internet-based, are not available to users outside of the Agency’s firewall, and do not require authentication from users on the outside. Based on our review, we agree that NEA ITM is not required to perform the e-authentication risk assessment.

NIST Self-Assessment

ITM conducted its 2007 self-assessment using the controls found in the National Institute of Standards and Technology (NIST) Special Publication 800-53, “Recommended Security Controls for Federal Information Systems.” The primary issues identified in this assessment included the lack of written policies, or the need to revise existing written policies, regarding the Security Plan, Continuity of Operations Plan (COOP), media protection, and system and service acquisition. In our prior review, we recommended that weaknesses identified in the self-assessment be included in NEA’s Plans of Action and Milestones (POA&Ms), which are updated quarterly and submitted to the Office of Management and Budget. Our review found that this had not been implemented. Therefore, we will repeat the previous recommendation.

Security Plan

NEA issued its security plan for each of its in-house GMS and APBS systems that addressed FISMA and OMB requirements in September 2004. The development of security plans is an important activity in an Agency’s information security system that directly supports the security accreditation process required under FISMA and OMB Circular A-130. Security plans should ensure that adequate security is provided for all Agency information collected, processed, stored, or disseminated in NEA’s general support systems and major applications. We noted changes to the NEA Network. However, the last update for the NEA Security Plan was June 2007. ITM has advised us that the plan is currently being updated.

Privacy Reporting and Privacy Impact Assessment

The 2008 FISMA guidance included additional questions on security and privacy policies, which require agencies to submit information on the types of privacy reviews conducted, policies, and privacy issue allegations. This guidance specifically relates to OMB Memorandum M-08-09, dated January 18, 2008, “New FISMA Privacy Reporting Requirements for FY 2008.” OMB also directed agencies to submit their most current documentation related to OMB Memorandum M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” (PII). OMB Memorandum M-07-16 requires agencies to review their use of SSNs, in agency systems and programs, in order to identify instances in which collection or use is superfluous.

To comply with the requirements above, NEA’s ITM has:

- Implemented PII policies regarding breach notification and rules of behavior;
- Completed technical security assessments to evaluate the level of security protecting NEA IT assets;
- Reviewed PII holdings and updated the system of records notices (SORNs) to include OMB-recommended “routine uses” of PII language; and
- Modified security orientation and privacy training for all NEA staff to include responsibility to protect Agency information and technology assets.

ITM’s review of PII holdings determined that NEA collects only PII that is relevant and necessary for administrative purposes and determined that there are adequate administrative, technical and physical safeguards in place for the PII collected. NEA does not use SSNs, truncated SSNs, or any part of SSNs as tracking numbers for its applications, grants, cooperative agreements or contracts. NEA does not share PII with outside agencies other than for processing payments. ITM indicated there have been no reported breaches or security incidents involving PII collected or maintained by the Agency.

Section 208 of the E-Government Act (2002) requires that “agencies ensure sufficient protections for the privacy of personal information as agencies implement citizen-centered electronic Government.” It further requires agencies to conduct a privacy impact assessment (PIA) and make that assessment available to the public on the agency website.

NEA has reviewed the PIA requirements and identified four external systems where PIAs are required (Personal Identity Verification Card system, Electronic Official Personnel File System, NFC Payroll System, and Delphi Financial Management System). NEA’s internal systems do not require PIAs since they were in place prior to the law.

Security Incidents

NEA has formalized a “Computer Security Incident Policy” (revised November 2007), which (1) identifies the type of activity characterized as a computer security incident, and (2) defines the steps to be taken to report a computer security incident. The policy applies to all permanent and temporary employees, including contractors who utilize NEA’s computer equipment and systems. Appendix III to OMB Circular A-130 states:

    When faced with a security incident, an agency should be able to respond in a manner that both protects its own information and helps to protect the information of others who might be affected by the incident. To address this concern, agencies should establish formal incident response mechanisms. Awareness and training for individuals with access to the system should include how to use the system’s incident response capability.

Any NEA computer security incidents are handled by ITM’s Computer Security Incident Team (CSIT), which consists of four ITM employees. One employee, who is designated as the CSIT coordinator, serves as the team’s central resource for monitoring computer security incidents.

NEA’s policy states, “The CSIT will be comprised of the following staff from the Office of Information and Technology Management:

- two representatives from the Customer Services Division (the Director and one additional staff member)
- two representatives from the Plans, Policy and Programs Division (the Director and one additional staff member)”

Currently, NEA ITM does not have a Customer Services Division or a Plans, Policy and Programs Division; therefore, we recommend that the policy be revised to reflect the appropriate CSIT staff.

IT Security and Privacy Awareness Training

NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program, and NIST Special Publication 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, provide the standards for security awareness and training. ITM implemented agency-wide training in 2005. ITM combined IT Security and Privacy Awareness Training in the FY 2008 Annual Refresher Training.

The August 2008 SeNet report noted that the Security Awareness and Training Policy was a sound basic document. However, to make the policy “more explicit, robust, and compliant with Federal guidance,” SeNet made several recommendations and suggestions to improve the policy. We recommend that ITM revise the Security Awareness and Training Policy to include the recommended changes and implement the suggested changes in developing all of its policies. In addition, we recommend that ITM implement the following:

- Add an “Authority” section that includes Federal agency requirements which mandate the establishment of the policy;
- Adopt a numbering system to track policies and indicate whether a policy is a revision;
- Develop a formal policy manual;
- Notify employees of new policies and place all official policies on the IT Policy webpage on the NEA Intranet; and
- Include security incident reporting procedures in the IT Security Awareness Training.

Inventory Controls

NEA has an inventory of its hardware and has updated its listing as of July 17, 2008. The perpetual inventory listing is maintained and updated as equipment is added or deleted. The inventory lists each item by office, barcode number, serial number, manufacturer, model number and description, as well as the user. It also indicates the date the inventory was taken and the initials of the person who took the inventory.

Change Management

ITM issued a “Change Management Policy/Procedure” in 2004. This policy “describes the responsibilities, policies, and procedures to be followed by ITM when making changes or recording events to the National Endowment for the Arts IT infrastructure.” It defines “change” and “event” as follows:

    Change: to transform, alter, or modify the operating environment or standard operating procedures; any modification that could have potential and/or significant impact on the stability and reliability of the infrastructure and impacts conducting normal business operation by our users and ITM; any interruption in building environments (i.e., electrical outages) that may cause disruption to the IT infrastructure.

    Event: any activity outside of the normal operating procedures that could have a potential and/or significant impact on the stability and reliability of the infrastructure, i.e. a request to keep a system up during a normal shutdown period.

The change management process includes the submission of a change request with management approval. During our prior evaluation, it was noted that when we requested a log and/or copies of such requests, none had been submitted. As a result, a recommendation was made that ITM implement procedures to ensure compliance with the NEA Change Management Policy. This year, we again requested copies of completed change management request forms and reviewed the ITM Change Request Folder, located on the server. Our evaluation found that there were no submissions during FY 2008. We recommend that ITM implement procedures to ensure compliance with the NEA Change Management Policy.

Financial Management System

NEA has an agreement with the U.S. Department of Transportation (DOT) to utilize the Enterprise Service Center’s (ESC) Oracle Federal Financials System, Delphi, as its financial management system. OMB requires that such service organizations provide client agencies with an independent report describing system controls. To comply with this requirement, DOT OIG hired an independent contractor, Clifton Gunderson, LLP, to conduct a review of the computer controls over the information technology and data processing environment, as well as the input, processing, and output controls built into the Delphi system.

The independent contractor rendered an opinion on the effectiveness of those controls for the nine-month period from October 1, 2007 through June 30, 2008. The audit concluded that the “controls of ESC Services presents fairly, in all material respects, the relevant aspects of ESC’s controls that had been placed in operation as of June 30, 2008.” In addition, controls “are suitably designed to provide reasonable assurance that the specified control objectives would be achieved if the described controls were complied with satisfactorily and the user organizations applied the controls contemplated in the design of ESC controls.” The exceptions are “logical access and segregation of duties concerning the CASTLE[1] system operations.” CASTLE is used to support DOT operations only.

Payroll System

NEA uses the Department of Agriculture (USDA) National Finance Center as its payroll provider. The latest Statement on Auditing Standards Number 70 (SAS 70) Review of the Department of Agriculture Office of the Chief Financial Officer/National Finance Center (OCFO/NFC) issued by the USDA OIG was for fiscal year 2007. This review concluded that the OCFO/NFC’s “description of controls presented fairly, in all material respects, the relevant aspects of OCFO/NFC.” Also, in their opinion, “the controls included and/or referenced in the description, as updated, were suitably designed to provide reasonable assurance that associated control objectives would be achieved if the described policies and procedures were complied with satisfactorily and customer agencies applied the controls specified in the OCFO/NFC description of controls.”

The 2007 USDA report described “weaknesses in OCFO/NFC internal control policies and procedures that may be relevant to the internal control structure of OCFO/NFC customer agencies.” The report further stated that “as of August 30, 2007, OCFO/NFC had corrected or was in the process of correcting the exceptions identified.”

The 2008 USDA SAS 70 Report on the National Finance Center was not available at the time of our evaluation in September 2008. We recommend that NEA ITM provide us with a copy of the report as soon as it becomes available.

[1] Consolidated Automated System for Time and Labor Entry (CASTLE).

EXIT CONFERENCE

An exit conference was held with NEA’s CIO on October 7, 2008. The CIO generally concurred with our recommendations and has agreed to initiate corrective actions.

RECOMMENDATIONS

We recommend that the NEA Office of Information and Technology Management:

1. Respond to and implement procedures to address weaknesses found during the risk assessment.

2. Revise the COOP to address the deficiencies noted in the SeNet report.

3. Include corrective actions for weaknesses identified in NEA’s Plans of Action and Milestones (POA&Ms), which are more than 90 days beyond the planned remediation date, in its quarterly FISMA report as required by the Office of Management and Budget.

4. Revise the Computer Security Incident Policy to reflect the appropriate CSIT staff.

5. Implement standard procedures for developing policies, which will ensure that only approved policies are issued. It should also implement procedures to ensure that policies are made available to employees.

6. Provide the Office of Inspector General with a copy of the 2008 Statement on Auditing Standards Number 70 (SAS 70) Review of the Department of Agriculture National Finance Center.